Yesterday with both the House and Senate meeting in proforma
session (almost no one present) there were 15 bills introduced. One of these
bills will receive future consideration in this blog:

HR 4217 To amend the Homeland Security Act of 2002 to develop tools to help
State and local governments establish or improve cybersecurity, and for other
purposes. Rep. Katko, John [R-NY-24]

This bill (the text has already been published) would establish three
separate cybersecurity grant programs for State and local governments.

Interesting side note: While Congresscritters are not in
Washington, staffs certainly are. The House Homeland Security Committee filed
six committee reports in yesterday’s session. Two of those (HR
3318 and HR
3710) will likely be addressed here in more detail when the reports are
actually published next week.

Thursday, August 29, 2019

Today the DHS NCCIC-ICS published two medical device control
system security advisories for products from Philips and Change Healthcare.

Philips Advisory

This advisory
describes a use of obsolete function vulnerability in the Philips HDI 4000
Ultrasound Systems. The vulnerability was
reported by Check Point. Philips has provided generic measures to mitigate
the vulnerability and reports that the devices reached end-of-support in December
of 2013. There is no indication that the researchers have been provided an
opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with
access to the local subnet could use publicly available exploits to exploit the
vulnerability to lead to exposure of ultrasound images (breaches of
confidentiality) and compromised image integrity.

Change Healthcare Advisory

This advisory
describes an incorrect default permissions vulnerability in the Change
Healthcare Cardiology Devices. The vulnerability was reported by Alfonso Powers
and Bradley Shubin of Asante Information Security. Change Healthcare has a patch
to mitigate the vulnerability. There is no indication that the researchers have
been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with
authenticated access can exploit the vulnerability to allow a locally
authenticated user to insert specially crafted files that could result in
arbitrary code execution.

Yesterday the OMB’s Office of Information and Regulatory
Affairs announced
that it had received a proposed revision for NIST SP
800-18, Guide for Developing System Security Plans, for review. This guide
for federal information-system security planners was originally published in
1998 and updated in 2006. It will be a while before OIRA approves this document
and we see an official version.

A lot has changed in the IT security world since 2006; new technologies and vulnerabilities. This should be a major re-write. The (okay 'a') big question is: will they address OT security for building control systems and security systems for data centers?

Tuesday, August 27, 2019

Today the DHS NCCIC-ICS published two control system
security advisories for products from Datalogic and Delta Controls.

Datalogic Advisory

This advisory
describes an authentication bypass using an alternate path or channel
vulnerability in the Datalogic AV7000 Linear Barcode Scanner. The vulnerability
was reported by Tri Quach and Blake Johnson of Amazon’s Customer Fulfillment Technology
Security (CFTS) group. Datalogic has a new firmware version that mitigates the
vulnerability. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow an attacker to remotely
execute arbitrary code.

Delta Controls Advisory

This advisory
describes a buffer overflow vulnerability in the Delta Controls enteliBUS
Controllers. The vulnerability was reported by Douglas McKee @fulmetalpackets
and contributing researcher Mark Bereza @ROPsicle of McAfee Advanced Threat
Research. Delta Controls has a new version that mitigates the vulnerability.
There is no indication that the researchers have been provided an opportunity
to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow an attacker to remotely
execute arbitrary code.

Recently the DHS Infrastructure Security Compliance Division
(ISCD) provided links to a number of new and updated information documents
related to the Chemical Facility Anti-Terrorism Standards (CFATS) program.
Links were provided on either the CFATS Knowledge
Center page or the CFATS
Resources page.

I have not done (and probably will not do) a detailed review
of the revised documents. These are ‘fact sheets’ and those are seldom (if
ever) used to announce new policy. If new policy were involved, we would have
seen a more formal announcement of the revised documents. I suspect that this
was mainly a branding exercise for the new Cybersecurity and Infrastructure
Security Administration (CISA).

The odd one on the list above was the EAP guidance document.
It was not rebranded with the CISA format or logo. There is no date on the
document, so I am not even sure that it was revised. It was listed on the top
of the ‘User Manuals’ column of the CFATS Knowledge Center, so ISCD is apparently
attempting to at least call attention to the manual. The EAP program was
mandated by Congress in the first re-write of the CFATS legislation and may not
survive the second re-write. It has not been used by more than a handful of
facilities, but that is more because it was introduced after the vast majority
of facilities had already submitted proposed Site Security Plans under the
existing program than it was because of any problems with the EAP.

Most of the documents listed above have dates back in May. I
am not sure when they were actually published or the links made available. A
couple of years ago DHS generally stopped putting date of change notices on
their web pages. With web sites that are as voluminous as the CFATS program this
makes it very difficult to keep up with the changes. I had hoped with the rise
of CISA (and the fall of NPPD, its predecessor) that we would see a change in
this policy. Every once-in-a-while a ‘last published date’ slips in (see here),
but I have not seen any indication that this is more than the action of isolated
web-scriptors trying to do right.

Saturday, August 24, 2019

This week we have two vendor disclosures for products from Bosch
and Schneider and an update from Schneider.

Bosch Advisory

Bosch published an advisory
describing three vulnerabilities in their ProSyst mBS SDK and Bosch IoT Gateway
Software. The vulnerabilities are being self-reported. Bosch has new versions
that mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Path traversal - CVE-2019-11601;

• Server-side request forgery - CVE-2019-11897; and

• Information exposure through an error message - CVE-2019-11602

Schneider Advisory

Schneider published an advisory
for the latest Microsoft® Remote Desktop Services (DejaBlue)
vulnerabilities in their products running on machines using various MS
operating systems. Generic mitigations are provided. Schneider does provide the
following warning about applying the MS patches that should mitigate these vulnerabilities:

“Please note that as of the date of
this publication, it is unclear how Microsoft’s patches and updates will affect
systems performance. Therefore, customers should proceed with caution when
applying these patches to critical operating systems and/or
performance-constrained systems. We strongly recommend evaluating the impact of
these patches in a Test and Development environment or on an offline
infrastructure.”

NOTE: This advisory has already been updated twice.

Schneider Update

Schneider published an
update for their advisory on the Wind River VxWorks vulnerabilities in
their products. They changed the affected products list by:

Tuesday, August 20, 2019

Today the DHS NCCIC-ICS published a control system security advisory for products from Zebra and two updates for advisories for products from Siemens and Sierra Wireless.

Zebra Advisory

This advisory describes an insufficiently protected credentials vulnerability in the Zebra Industrial Printers. The vulnerability was reported by Tri Quach. Zebra has a new version that mitigates the vulnerability. There is no indication that Tri has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow a remote attacker to send specially crafted packets to a port on the printer, resulting in the retrieval of a front control panel passcode.

Siemens Update

This update provides new information on an advisory that was originally published on August 13th, 2019. NCCIC-ICS changed the vulnerability description from ‘uncontrolled resource consumption’ to ‘insufficient resource pool’. There was no corresponding change in the Siemens advisory; Siemens does not use CWE vulnerability titles or codes in their advisories.

Sierra Wireless Update

This update provides new information on an advisory that was originally published on May 2nd, 2019. The update reports that the ALEOS 4.12.0 Release Note is now available.

Monday, August 19, 2019

Last month Sen. Cantwell (D,WA) introduced S 2333,
the Energy Cybersecurity Act of 2019. The bill would require the Department of
Energy to address electric grid cybersecurity, resiliency and risk assessment
issues. This bill is essentially identical to S
2444 from last session which was also introduced by Cantwell. No action was
taken on the earlier bill.

Cantwell is still a senior member of the Senate Energy and
Natural Resources Committee to which this bill was assigned for consideration.
That was not enough last session to ensure that the bill was considered in
Committee. The problem remains the authorization for the expenditure of funds
for the various programs in the bill. It is unlikely that the new budget agreement
reached just before the Senate left for summer recess will change the funding
situation.

Last Friday the OMB’s Office of Information and Regulatory Affairs
(OIRA) announced
that it had approved an information collection request (ICR) for a Surface
Transportation Stakeholder Survey to be conducted by the TSA. The survey was
mandated by Congress in §1983 of the FAA Reauthorization Act of 2018 (HR 302
from the 115th Congress, it was signed as PL115-254, but that law has
not yet been published).

Stakeholder Survey

Congress required the TSA to conduct a survey of surface
transportation security stakeholders “regarding resource challenges, including
the availability of Federal funding, associated with securing such assets that
provides an opportunity for respondents to set forth information on specific
unmet needs” {§1983(a)}. TSA reports
[.DOCX download link] that it will be offering the survey to 3,200 organizations
“with whom TSA has established working relationships” (pg 1). It expects only
about 20% of those organizations to respond during the 21 days that TSA
will have the survey available on their web site. This accounts for the 641
surveys expected to be collected under this ICR.

OIRA published
[.DOCX download link] a copy of the
questions that will be asked on the TSA’s Survey Monkey operated web site for
the survey (the URL is not available in the ICR documents). The questions are a
relatively broad look at the application of federal grant programs to support
surface transportation security efforts. The last two questions directly
address the congressional mandate to provide “an opportunity for respondents to
set forth information on specific unmet needs.”

TSA is not going to meet the 120-day deadline for conducting
the survey that was established in HR 302. Given the requirement to get OMB
approval to conduct the information collection, that deadline was never
reasonably set. It took TSA almost that long to put together the information necessary
to publish the 60-day ICR notice in March of this year. The 30-day ICR notice quickly followed the close of the comment period on the first ICR notice, and it only took
OIRA a little more than 2 months to approve the ICR, a remarkably short time
for OIRA approval.

TSA will probably not provide a notice in the Federal
Register concerning the publication of the survey on a TSA web site. The congressional
mandate was to collect information from “stakeholders responsible for securing
surface transportation assets”, not the public, community organizations or emergency
response personnel. Thus, TSA will directly contact organizations with whom it
has established relationships as well as surface transportation trade
associations to announce the start of the survey period and the location of the survey web site.

Commentary

I am concerned that there is no mention of cybersecurity in
the survey; not even a hint that TSA was including cybersecurity challenges in
the surface transportation efforts being surveyed. This is not entirely TSA’s
fault, the congressional mandate for this survey did not include any mention of
cybersecurity either. Hopefully, the stakeholders being surveyed will be able
to read between the lines and will specifically include mention of the concerns
that they have about cybersecurity efforts in protecting surface transportation
assets from outsider (and insider) attacks.

Saturday, August 17, 2019

This week we have eight vendor notifications from Schneider
(7) and Siemens; updates for four previously published advisories from Schneider
(2) and Siemens (2); as well as two exploit reports for previously published
vulnerabilities in products from Wind River and Cisco.

Schneider Advisories

Magelis Advisory

Schneider published an
advisory describing an improper check for unusual or exceptional conditions
vulnerability in their Magelis HMI Panel products. The vulnerability was
reported by VAPT Team. Schneider provides generic workarounds to mitigate the vulnerability.
There is no indication that the researchers have been provided an opportunity
to verify the efficacy of the fix.

Modicon 340 Advisory

Schneider published an
advisory describing an improper check for unusual or exceptional conditions
vulnerability in their Modicon M340 controllers. The vulnerability was reported
by VAPT Team. Schneider provides generic workarounds to mitigate the vulnerability.
There is no indication that the researchers have been provided an opportunity
to verify the efficacy of the fix.

Modicon Advisory

Schneider published an
advisory describing three improper check for unusual or exceptional
conditions vulnerabilities in their Modicon Ethernet / Serial RTU Modules. The
vulnerability was reported by VAPT Team. Schneider provides generic workarounds
to mitigate the vulnerability. There is no indication that the researchers have
been provided an opportunity to verify the efficacy of the fix.

SoMachine Advisory

Schneider published an
advisory describing an untrusted search path vulnerability in their SoMachine
HVAC. The vulnerability was reported by Yongjun Liu of the nsfocus security
team. Schneider has a new version that mitigates the vulnerability. There is no
indication that Yongjun has been provided an opportunity to verify the efficacy
of the fix.

TelevisGo Advisory

Schneider published an
advisory describing 22 vulnerabilities in the third party UltraVNC (remote
access) software component embedded within the TelevisGo product. The vulnerabilities
were reported by Kaspersky Labs. Schneider has a hot-fix available that
mitigates the vulnerabilities. There is no indication that the researchers have
been provided an opportunity to verify the efficacy of the fix.

Schneider published an
advisory describing a deserialization of trusted data vulnerability in their
Software Update (SESU) SUT Service. The vulnerability was reported by Amir
Preminger of Claroty. Schneider has a new version that mitigates the vulnerability.
There is no indication that Preminger has been provided an opportunity to
verify the efficacy of the fix.

spaceLYnk Advisory

Schneider published an
advisory describing an authentication vulnerability in their spaceLYnk and Wiser for KNX controllers. The
vulnerability was reported by Sumedt Jitpukdebodin. Schneider has new versions
that mitigate the vulnerability. There is no indication that Jitpukdebodin has
been provided an opportunity to verify the efficacy of the fix.

Schneider published an
update for an advisory that was originally published on May 24th,
2017. New information includes:

• Updated researcher acknowledgement section;

• Corrected CVE ID from CVE-2017-6028 to
CVE-2017-6034; and

• Corrected vulnerability description

Siemens Advisory

Siemens published an
advisory describing two vulnerabilities in their SIMATIC S7-1200 and
SIMATIC S7-1500 CPU families. The vulnerabilities were
reported by Eli Biham, Sara Bitan, Aviad Carmel, and Alon Dankner, Uriel
Malin, and Avishai Woo. Siemens has generic workarounds that mitigate the
vulnerabilities. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.

Siemens published an update
for an advisory that was originally published on November 27th, 2019.
New information includes:

• Added CVE-2018-19591, CVE-2019-11360,
CVE-2019-13272; and

• Moved CVE-2018-16862 from buildtime to runtime
relevant

Cisco Exploit

Angelo Ruwantha published a Metasploit module
for a vulnerability in the Cisco Adaptive Security Appliance; Cisco published an
advisory on this vulnerability on June 6th, 2018. NCCIC-ICS published an
advisory for Rockwell Automation Allen-Bradley Stratix 5950 listing this
vulnerability.

WindRiver (Urgent/11) Exploit

Zhou Yu published
an exploit for an integer overflow vulnerability in the Wind River VxWorks (one
of the Urgent/11 vulnerabilities).

Friday, August 16, 2019

Yesterday the DHS NCCIC-ICS published four control system
security advisories for products from Siemens (2), Fuji Electric, and Johnson
Controls.

SINAMICS Advisory

This advisory
describes an uncontrolled resource consumption vulnerability in the web server
of the Siemens SINAMICS control units. The vulnerability is self-reported.
Siemens has updates available to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow an attacker to perform a
denial-of-service attack.

SCALANCE Advisory

This advisory
describes two instances of an improper adherence to coding standards vulnerability
in the Siemens SCALANCE products. The vulnerability is self-reported.
Siemens has an update available that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to lead to a denial of service or could allow an
authenticated local user with physical access to the device to execute
arbitrary commands on the device.

NOTE: There are still two advisories and an update that were
published
by Siemens earlier this week that have not been addressed by NCCIC-ICS. I will
report further on them tomorrow.

Fuji Advisory

This advisory
describes a stack-based buffer overflow in the Fuji Alpha5 Smart Loader servodrive. The vulnerability was reported by Natnael
Samson (@NattiSamson) via the Zero Day Initiative. Fuji has a new version that
mitigates the vulnerability. There is no indication that Samson has been
provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with
uncharacterized access could exploit the vulnerability to allow an attacker to
execute code under the privileges of the application.

Johnson Controls Advisory

This advisory
describes two vulnerabilities in the Johnson Controls Metasys building
automation system. The vulnerabilities were reported by harpocrates.ghost. Johnson
Controls has a new version that mitigates the vulnerabilities. There is no
indication that the researcher has been provided an opportunity to verify the
efficacy of the fix.

The two reported vulnerabilities are:

• Reusing a nonce, key-pair in an encryption - CVE-2019-7593;
and

• Use of hard-coded cryptographic key - CVE-2019-7594

NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit these vulnerabilities to decrypt captured network traffic.
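The two Metasys weaknesses above combine badly: a key that never changes plus a nonce that repeats means two captured messages were encrypted under the same keystream, which is the property that lets recorded traffic be decrypted. A defender reviewing a capture can check for that condition directly. The script below is an added example, not code from Johnson Controls, NCCIC-ICS or the advisory; the record layout (message id, key id, nonce) and the sample records are constructed for illustration, and the nonce size assumes a 96-bit AEAD nonce.

```python
"""Nonce-reuse check for AEAD-style traffic records (added example, not
Johnson Controls or NCCIC-ICS code). Assumes each captured message exposes a
key identifier and the nonce it was encrypted under; the record format and
the sample data below are constructed for illustration."""
import secrets
from collections import defaultdict

NONCE_LEN = 12  # 96-bit nonce, the usual size for AES-GCM / ChaCha20-Poly1305

# Constructed sample: (message_id, key_id, nonce_hex). A device that derives
# its nonce from a fixed seed under a hard-coded key tends to repeat nonces
# across sessions, which is what the m4 and m5 records show.
SAMPLE_RECORDS = [
    ("m1", "key-A", "0000000000000000000000a1"),
    ("m2", "key-A", "0000000000000000000000a2"),
    ("m3", "key-B", "0000000000000000000000a1"),  # same nonce, different key: fine
    ("m4", "key-A", "0000000000000000000000a1"),  # repeat of m1 under key-A: bad
    ("m5", "key-A", "0000000000000000000000a2"),  # repeat of m2 under key-A: bad
]


def find_nonce_reuse(records):
    """Return {(key_id, nonce_hex): [message_ids]} for every (key, nonce) pair
    used more than once. A repeated pair under the same key means two messages
    share keystream, so the capture should be treated as exposed."""
    seen = defaultdict(list)
    for msg_id, key_id, nonce_hex in records:
        seen[(key_id, nonce_hex.lower())].append(msg_id)
    return {pair: ids for pair, ids in seen.items() if len(ids) > 1}


def fresh_nonce():
    """Generate a nonce the safe way: unpredictable and unique per message."""
    return secrets.token_bytes(NONCE_LEN)


def nonces_are_unique(n):
    """Sanity check that n freshly generated nonces never collide."""
    return len({fresh_nonce() for _ in range(n)}) == n


if __name__ == "__main__":
    for (key_id, nonce), ids in find_nonce_reuse(SAMPLE_RECORDS).items():
        print(f"nonce {nonce} reused under {key_id} by messages {ids}")
    print("fresh nonces unique:", nonces_are_unique(1000))
```

The check is keyed on the (key, nonce) pair rather than the nonce alone, because the same nonce under two different keys is harmless; it is the combination of a hard-coded key with a repeating nonce that turns a captured session into recoverable plaintext. The `fresh_nonce` helper shows the fix on the producing side: a random nonce per message from the operating system's CSPRNG.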

Thursday, August 15, 2019

Last month Rep. Perry (R,PA) introduced HR 3787,
the DHS Countering Unmanned Aircraft Systems Coordinator Act. The bill would
require the DHS Secretary to designate a Counter Unmanned Aircraft Systems
(UAS) Coordinator to “coordinate with relevant Department offices and
components on the development of policies and plans to counter threats
associated with UAS” {new §321(a)}.
The bill is functionally identical to HR
6438 which was passed
in the House in the 115th Congress. A related bill, S
1867, was introduced in June in the Senate.

The only difference between this bill and last year's House bill
is the absence of some administrative house cleaning measures in §2(b) of the
bill that were addressed in the Homeland Security spending bill passed earlier this
year.

Moving Forward

Perry is no longer a member of the House Homeland Security
Committee, the committee to which this bill was assigned for consideration.
This means that, unless he gets a cosponsor for the bill who is on the
Committee, there is little chance that the bill will be considered.

The bill did get bipartisan support in the 115th
Congress and it almost certainly would in this session as well.

Commentary

As I mentioned last year, this bill does not provide for any
exceptions to a number of federal statutes that would currently prohibit
private sector organizations taking any actions to intercept, take down, or
track the owner of a UAS. DOD has been provided substantial (almost sweeping)
authority to take actions against UAS under 10
USC 130i, but similar authority provided to DHS and DOJ (6
USC 124n) was significantly constrained. And more importantly, no such authority
has been extended to the private sector.

Interestingly, the Senate bill is closely tied to the
authorizations provided in §124n and actually would terminate the authority for
the position when §124n terminates on October 25th, 2022. The House
bill is not tied to the DHS counter-UAS authority and has no termination
provisions.

I think that this bill could be improved by expanding the
authorized activities of DHS under §124n to include the protection of
facilities covered under the Chemical Facilities Anti-Terrorism Security
(CFATS) program by inserting a new §2(b) into the bill {while re-designating
the current (b) as (c)}

(b) Chemical Facility
Anti-Terrorism Standards Program

(1) In general – 6 USC 124n(k)(3)(C)(i)
is amended by adding (IV):

“(IV) protection of facilities
covered under 6 CFR Part 27;

(2) The Secretary will publish
regulations amending 6 CFR part 27 providing procedures for covered facilities that
report quantities of release security issue chemicals of interest as defined in
Appendix A to 6 CFR Part 27 to:

(B) intercept communications between
the controller and the UAS in accordance with §124n(b)(1)(A);

(C) warn the operator in
accordance with §124n(b)(1)(B); and

(D) seize or exercise control
of the UAS that is in the air space directly over the reported facility
boundaries in accordance with §124n(b)(1)(D) if and only if the operator has
been warned as in (C) above.

PHMSA is soliciting public comments on these proposed
changes to the HMR. Comments need to be submitted by October 15th,
2019. Comments may be submitted via the Federal eRulemaking Portal (www.Regulations.gov; Docket #PHMSA-2017-0120).

Today the DOE published a request for comments in the
Federal Register (84
FR 40399-40400) on version 2.0 of its Cybersecurity
Capability Maturity Model (C2M2). According to the notice the “C2M2 Version
2.0 leverages and builds upon existing efforts, models, and cybersecurity best
practices to advance the model by adjusting to new technologies, practices, and
environmental factors.”

• Separating the maturity indicator levels (MILs)
from the Information Sharing and Communications domain to include sharing
practices in the Threat and Vulnerability Management and Situational Awareness
domains

• Movement of Continuity of Operations MILs from the
Incident and Event Response to the Cybersecurity Program Management domain to
account for continuity activities beyond response events

• Increasing the use of common language throughout
the model.

Public comments are being solicited, but there are no
instructions within the document on how to submit comments. It does not look
like the Federal eRulemaking Portal could be used since there is no docket
number provided in the notice. An email
address has been provided for Timothy Kocher, who is the DOE officer who
signed the notice, but it would be unusual for public comments to be sent
directly to him. I have an email en route to Kocher and will update this post
as more information becomes available.

I will be watching this bill for specific language for the
definition of ‘domestic terrorism’ that includes attacks on critical
infrastructure (like chemical plants) or attacks on industrial control systems.
I am not holding my breath; this is probably just a knee jerk reaction to
recent mass shootings.

Tuesday, August 13, 2019

Today the DHS NCCIC-ICS published a control system security
alert for products from Mitsubishi Electric; three control system security
advisories for products from Siemens, OSIsoft, and Delta Industrial; and four
control system advisory updates for products from Siemens.

Mitsubishi Alert

This alert
describes a report of seven vulnerabilities in the Mitsubishi smartRTU and INEA
ME-RTU. The vulnerabilities were reported
(with exploit code) by Mark Cross (@xerubus) (NCCIC-ICS did provide the link to
the report, a first). Cross disclosed the vulnerabilities to CISA and published
the public disclosure under the 45-day disclosure policy.

The seven reported vulnerabilities are:

• OS command injection - CVE-2019-14931;

• Unauthenticated download of configuration file - CVE-2019-14927;

• Stored cross-site script - CVE-2019-14928;

• Use of hard-coded cryptographic keys - CVE-2019-14926;

• Hard-coded user passwords - CVE-2019-14930;

• Plaintext password storage - CVE-2019-14929; and

• Incorrect default permissions - CVE-2019-14925

Siemens Advisory

This advisory
describes an uncontrolled resource consumption vulnerability in the Siemens SCALANCE
X switches. The vulnerability was reported by Younes Dragoni from Nozomi
Networks. Siemens has provided generic workarounds. There is no indication that
Dragoni has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could
remotely exploit the vulnerability to cause a denial-of-service condition.

OSIsoft Advisory

This advisory
describes two vulnerabilities in the OSIsoft PI Web API. The vulnerabilities
are self-reported. OSIsoft has an update to mitigate the vulnerability.

NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit the vulnerabilities to allow direct attacks against the
product and disclose sensitive information.

Delta Advisory

This advisory
describes two vulnerabilities in the Delta DOPSoft Human Machine Interface
(HMI) editing software. The vulnerabilities were reported by kimiya of 9SG
Security Team via the Zero Day Initiative. Delta has a new version that
mitigates the vulnerabilities. There is no indication that kimiya has been
provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Out-of-bounds read - CVE-2019-13513; and

• Use after free - CVE-2019-13514

NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow information disclosure,
remote code execution, or crash of the application.

SIMATIC WinCC Update

This update
provides additional information on an advisory that was originally
reported on July 11th, 2019. The update provides new affected
version information and mitigation links for:

• SIMATIC WinCC V7.3;

• SIMATIC PCS 7 V8.1, and

• SIMATIC WinCC Runtime Professional V14

Spectrum Power Update

This update
provides additional information on an advisory that was originally
reported on July 9th, 2019. The update provides corrected version
information for Spectrum Power 5.

SIPROTEC Update

This update
provides additional information on an advisory that was originally
reported on July 9th, 2019. The update provides additional
mitigation information.

SIMATIC PCS7 Update

This update
provides additional information on an advisory that was originally
reported on July 9th, 2019. The update provides corrected
version information and mitigation links for:

• SIMATIC WinCC V7.3; and

• SIMATIC PCS 7 V8.1

NOTE: Siemens published an additional two advisories and two
updates today that were not reported by NCCIC-ICS. They may be reported on
Thursday, if not, I will report on them on Saturday.

Last month Sen. Gardner (R,CO) introduced S 2095, the Enhancing
Grid Security through Public-Private Partnerships Act. The bill would require
the Department of Energy (DOE) to establish a voluntary security program for
electric utilities and provide a report to Congress on cybersecurity of
electricity distribution systems. This bill is very similar to HR
359, which was ordered
favorably reported by the House Energy and Commerce Committee last month.

Differences in the Bills

There are a number of differences between the two bills.
Many of them are strictly structural; the definitions are in §2 of the Senate bill and
§5 of the House
bill. Others are editorial in nature; adding ‘of a State’ following ‘political
subdivision’ in the Senate version. These changes are of interest only to grammarians,
lawyers and judges.

Other changes are of more consequence. The senate bill does
not include the section on electricity interruption information that was
included as §4 in
the House bill. There are two changes (an addition and a deletion) to the
voluntary security program described in §3
of S 2095 (see below). Finally, the Senate bill adds a 1 year deadline for the
required report to Congress on cybersecurity and distribution systems.

Security Program

The security program in this bill was originally introduced
in HR
5240 in the 115th Congress. That program would have required DOE
to:

S 2095 modifies that program by removing the requirement for
DOE to assist with cybersecurity training. This bill would substitute a
requirement for DOE to “to assist with threat assessment and cybersecurity
training for electric utilities” {§3(a)(2)}.

Moving Forward

Neither Booker nor his single cosponsor {Sen. Bennet (D,CO)}
are members of the Senate Energy and Natural Resources Committee to which this
bill was assigned for consideration. With no representation on that Committee
it is unlikely that this bill will receive consideration.

The House version of the bill received bipartisan support in
the markup of the bill last month in the House Energy and Commerce Committee. I
suspect that this bill would also receive bipartisan support if it were
considered in Committee. The changes described above would have no significant
bearing on the support this bill would receive.

NOTE on HR 359

In my post on the introduction of HR 359 I noted that it
would be considered by the full House on January 11th, 2019 under
the suspension of the rules process. This had
been scheduled, along with the consideration of two other cybersecurity
bills, HR
360 and HR
370. None of those bills were considered.

It looked like the new Democratic leadership was going to
act quickly (if somewhat inadequately) on some critical infrastructure
cybersecurity measures. It did not happen, for reasons which have not been made
public. Given that initial quick intent to pass these three cybersecurity bills,
it is odd that no action was taken in Committee until a subcommittee markup
(with no amendments) in May and a full Committee markup in July.

The bipartisan support for these bills in Committee would
seem to indicate that the bills would easily pass in the House under the
suspension of the rules process. I would have thought that the initial pass on
considering these bills indicated that there was an intent to revise these
bills to include some sort of regulatory authority to ensure that facilities complied
with the ‘voluntary measures’ included in the bill. The lack of amendments in
Committee would seem to indicate that the leadership has decided that such
cybersecurity mandates were not going to make it to the President’s desk.

I suspect that all three House bills will be considered by
the full House in September.

Yesterday the OMB’s Office of Information and Regulatory
Affairs (OIRA) announced
that it had received a final rule from DOT’s Pipeline and Hazardous Materials Safety
Administration (PHMSA) concerning underground storage facilities for natural
gas. According to the abstract for this rulemaking in the 2019 Spring Unified
Agenda, this final rule is intended to finalize the interim final rule that was
published in December 2016.

Interesting side note: PHMSA currently has 15 rulemakings under
review at OIRA.

Monday, August 12, 2019

I had an interesting discussion last week with a reader who
must remain anonymous (for professional reasons) about the technically
still pending Ammonium
Nitrate Security Program (ANSP) and explosive targets sold under the brand
name Tannerite®. Anon was concerned that
the sale of these binary explosives was not covered under the ‘proposed’ ANSP (all
but dead) nor in the recently
released Sandia Labs report on ammonium nitrate.

Anon is correct that the commercial sale of these targets
would probably not be covered by the proposed ANSP. There is a 25-lb minimum on
the amount of ammonium nitrate (AN) being sold to require buyer registration
under that program. With the largest single packaging currently being sold on
the Tannerite web site containing only eight ‘one-pound targets’ (containing
presumably substantially less than 1 lb of AN), the company could very
reasonably restrict sales enough to keep their customers from having to
register.

Anon’s question is why would an ‘explosive target’ not be
included in a security program designed to block the use of ammonium nitrate in
improvised explosive devices (IEDs)? The answer to that question addresses the
problem that DHS continues to have with their congressional requirement to
regulate ammonium nitrate security to prevent its use in IEDs: money. And,
unfortunately, we are not talking about the money lobbyists are spending to
stop regulations; we are talking about the cost of regulations.

ANSP Costs

DHS estimated that
the cost of their proposed Ammonium Nitrate Security Program would range
somewhere between $300 million and $1.041 billion over 10 years, with the actual
expected cost closer to about $670.6 million. The largest variable in that overall
cost estimate (and the largest part of the estimated cost) is the cost of the
point-of-sale regulations.

Congress requires that potential regulators look at the
cost-benefit of their proposed regulations, and DHS did so with their ANSP
notice of proposed rulemaking (NPRM). Using the Murrah Building attack (the
only large-scale AN-based terrorist attack in the United States) as their prevention standard,
DHS calculated a payback period of 14.1 years for the ANSP. Or, in plain-speak,
if the ANSP prevented a Murrah-scale attack every 14.1 years, the program would
pay for itself. Since it has already been 24 years since that bombing, and a
similar attack has not taken place, and the ANSP has not been in place, it seems
like the price of the program is too large. That is, in fact, why DHS has not
finalized the ANSP: it is not justified on a cost/benefit basis.

Smaller Scale Attacks

It would take a huge number of explosive targets (or medical
cold-packs, another small-scale product that uses ammonium nitrate) to make up
a Murrah Building scale bomb. The buyers of that type of quantity would stand
out even without the ANSP and some law enforcement agency would be
investigating. A huge number of small-scale purchases would not attract attention
but would be logistically very difficult to accomplish.

No, binary targets and cold-packs would only be used in
small-scale devices like the IEDs used in the September
2016 attacks in New York City. The one device that detonated did not kill
anyone, but it did injure 29 people. The ANSP would not have prevented that attack.
A federal program that would prevent that scale of IED attack by limiting the
purchase of small amounts of ammonium nitrate would be significantly more
expensive. It would have to prevent more than one such attack a year to be ‘cost
effective’ based upon the $95 million cost per-year estimate for the ANSP
program. The higher cost of the expanded program would probably require
preventing an attack every couple of months to be effective.

Of course, it should be remembered that for small-scale IEDs,
ammonium nitrate-based weapons are fairly complicated and require some small
level of expertise to employ. There are a number of lesser-skilled options
available to the casual IED maker, black-powder or gunpowder pipe bombs being
the most common examples in the US. And I will not even discuss the much less
dangerous ‘mail-box
bombs’.

This is one of the reasons that DHS has reached
out to stakeholders about looking at the broader improvised explosive
device issue. It is much too early to talk about this effort as being a rulemaking
(especially since Congress has not specifically provided authority for an
expanded rule making), but folks seem to be looking at establishing some sort
of voluntary retail identification check program for some sort of list of
chemicals that could be used to make IEDs (almost certainly not including
mail-box bombs).

Saturday, August 10, 2019

This week we have three new vendor disclosures concerning
the VxWorks URGENT/11 vulnerabilities and three researcher announcements of
vulnerabilities in products from Reliable Controls (2) and VISAM.

URGENT/11 Advisories

Three new vendors have published advisories related to the VxWorks
URGENT/11 vulnerabilities reported by Armis Labs: Bosch, Omron
and Philips. Below I have listed links to all of the vendor disclosures that I
have discovered to date:

It is great to see that Omron is reporting no exposure to
the vulnerabilities. That is as valuable to their customers as the advisories
being published by affected vendors.

Reliable Controls Advisories

MACH-ProWeb Advisory

Applied Risk published a
report describing a reflected XSS vulnerability in the Reliable Controls MACH-ProWeb
BACnet Building Controller. Applied Risk reports that they have not received a
response from the vendor to their January 29th, 2019 report on this vulnerability.

Reliable Controls LicenseManager Advisory

Applied Risk published a
report describing a privilege escalation vulnerability in the Reliable Controls
RC-LicenseManager in the Reliable Controls RC-Studio (MACH-System) software. Applied
Risk reports that they have not received a response from the vendor to their January
29th, 2019 report on this vulnerability.

VISAM Advisory

Applied Risk has published a
report describing five vulnerabilities in the VISAM Automation Base (VBASE) HMI
/ SCADA. Applied Risk reports that as of July 8th, 2019 (apparently
the date of last communication from VISAM) no mitigation has been made
available for these vulnerabilities.

Friday, August 9, 2019

Last month Sen. Markey (D,MA) introduced S 2181,
the Cybersecurity Standards for Aircraft to Improve Resilience (Cyber AIR) Act
of 2019. This bill is very similar to S
2764 that Markey introduced in the second half of the 114th
Congress.

Differences

The major difference between the two bills is that the
congressional reporting requirements found in §5 of the earlier bill have been removed from the
current version. That section would have required annual reports to Congress on the
attacks reported to the FAA by air carriers and manufacturers under provisions
of §3.

Two other changes are found in §5 of the current bill. The formatting is changed
from §6 of S 2764,
and the last subparagraph {§6(c)(2)}
from the earlier bill has been deleted in S 2181. That subparagraph would have required
that the report to Congress from the FAA-FCC Leadership Group be “submitted in
unclassified form, but may include a classified
annex”.

Moving Forward

Markey is still a member of the Senate Commerce, Science,
and Transportation Committee and he has added a cosponsor {Sen. Blumenthal (D,CT)}
who is a senior Democrat on that Committee. This increases the likelihood that
this bill would see consideration in Committee. As in the 114th Congress,
I suspect that the bill, if considered, would receive substantial opposition
from Republicans, thus killing any chances that the bill would move to the
floor of the Senate.

Commentary

There is no reference in this bill to cooperation with the
DHS Cybersecurity and Infrastructure Security Agency. CISA was not in existence
when the earlier version of the bill was introduced, but I would have expected
this version to be updated to substitute CISA for generic references to cooperation
or coordination with ‘the Secretary of Homeland Security’. CISA is, of course,
supposed to be the Federal government’s expert on all things cybersecurity.

Over the years I have been a strong proponent of actively
involving ICS-CERT and now CISA in anything involving Federal oversight of
control system security in all of its guises. Mainly, I have asserted that the
limited availability of control system security expertise in government (and to
a somewhat lesser extent in the private sector) meant that the
localization of that talent in a single agency would probably make a great deal
of sense. I am starting to rethink that proponency (hmmm, that may be a new
word according to spell check).

First, it appears that DHS in general, and CISA in particular,
has ‘deemphasized’ the importance of control system security expertise with the
effective elimination of ICS-CERT. This has always been the problem of putting
all of your ‘eggspertice’ in one administrative basket; bureaucratic
adjustments in the size of that basket have unintended consequences outside of
the agency’s mandate.

More importantly, not requiring safety regulatory agencies
(like the FAA in this case) to have cybersecurity expertise in general, and
control system expertise in particular, fails to recognize the impact of
cybersecurity on safety. Safety regulators are going to increasingly become control-system
cybersecurity regulators as more and more safety systems rely on interconnected
control-system components. Safety regulatory agencies are going to have to be
forced by Congress to formalize and grow their cybersecurity capabilities.

With that in mind, I would like to suggest an addition to §3 of the bill:

(c) The Secretary will establish
within the FAA an Aviation Cybersecurity Office (ACO) to receive the cyberattack
reports described in (a) and develop recommendations for, and implement,
regulatory actions described in (b). The Director of the ACO will be familiar
with avionics control systems and cybersecurity of such systems. Additionally,
the ACO will:

(2) Prepare anonymized reports
on such incidents that would identify security vulnerabilities (as defined in 6
USC 1501) that could affect other carriers and manufacturers and coordinate the
disclosures of those security vulnerabilities;

(3) Establish procedures and
processes by which security researchers can report security vulnerabilities for
further coordinated disclosure; and

(4) Coordinate with the National
Cybersecurity and Communications Integration Center on sharing security vulnerability
information.

Thursday, August 8, 2019

Today the DHS NCCIC-ICS published an update for a previously
issued control system security advisory for products from Wind River.

The update provides additional information on an advisory
that was originally
published on July 30th, 2019. The new information is the
addition of two new vendor advisories concerning the VxWorks vulnerabilities:

Wednesday, August 7, 2019

Yesterday with both the House and Senate meeting in pro forma
sessions (almost everyone was back home or on the road, raising money or
connecting with local voters) there were 15 bills introduced. Two of those may
receive future attention in this blog:

Both are a bit of a stretch for coverage here, but they may
contain specific language relating to control system security issues.

I will note in passing that it seems odd for a Democrat to
introduce federal preemption language; that is usually a ploy to limit the
ability of States to be more proactive and business constricting. I may cover
this bill even if it does not include ICS language.

About Me

Patrick Coyle is a freelance writer dealing with chemical security and safety issues. He has 15 years experience in the US Army with extensive experience in training development, delivery and evaluation. He spent 20 years working in the chemical process industry developing and improving chemical manufacturing processes with a large emphasis on chemical and process safety. He currently writes a daily blog, the Chemical Facility Security News, examining the issues associated with the Chemical Facility Anti-Terrorism Standards administered by the Department of Homeland Security.